CVE-2023-22247 — XML Injection (aka Blind XPath Injection) in Adobe Commerce

CWE-91 — XML Injection (aka Blind XPath Injection)4 documents4 sources

Severity

7.5HIGHNVD

EPSS

4.8%

top 10.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Commerce Adobe Magento Open Source Magento Community-edition +2 more

Timeline

PublishedMar 27

Description

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDadobe/commerce< 2.4.4+2

▶CVEListV5adobe/magento_commerceunspecified — 2.4.5-p1+2

▶NVDadobe/magento_open_source< 2.4.4+2

▶Packagistmagento/community-edition2.4.5-p1 — 2.4.5-p2+1

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

CVEList

Adobe Commerce XML Injection Arbitrary file system read↗2023-03-27

▶

OSV

Magento Open Source allows XML Injection↗2023-03-27

▶

GHSA

Magento Open Source allows XML Injection↗2023-03-27

▶